Network Address Translation.
- Colleen Weaver
- 10 years ago
CHAPTER 14
Network Address Translation

Objectives

Describe Network Address Translation
- If you add Network Address Translation configurations to your network, you can place an additional security barrier between your internal clients and the Internet. In addition, this technology also enables you to share a single Internet IP address between many internal clients, which minimizes connection costs.

Understand the operational terminology of Network Address Translation
- Network Address Translation uses confusing terms to describe the location of an IP address on the network. Understanding these terms is key to configuring and troubleshooting Network Address Translation.

Configure Network Address Translation to address a variety of network requirements
- There are many options for configuring Network Address Translation. Although the most popular configuration focuses around sharing a single Internet IP address for internal clients, many others can address common network needs.

Verify Network Address Translation operation
- After you have configured Network Address Translation, you need to view a snapshot of your IP address mappings to ensure unauthorized access is prevented and verify the configuration has been applied successfully.
Outline

- Introduction
- NAT Concepts
  - Static NAT
  - Dynamic NAT
  - NAT Overload and Port Address Translation
- NAT Terminology
- NAT Configurations
  - Static NAT
  - Dynamic Pool Translations
  - NAT Overload
- Verifying NAT Operation
- Chapter Summary
- Apply Your Knowledge
Study Strategies

- Read the information presented in the chapter, paying special attention to tables, Notes, and Exam Alerts.
- Focus on the Network Address Translation terminology. Understanding these terms is paramount to understanding the NAT configuration as a whole.
- When studying, focus on the Static NAT configurations first because these are the simplest. After you master this configuration, move on to NAT Overload, followed by Dynamic NAT.
Introduction

I can still remember the very first time I saw Network Address Translation (NAT) in action. "This is the most amazing thing I have ever seen," I said, with the same awestruck feeling as the first time you walk up and look over the Grand Canyon in Arizona. Okay, perhaps it wasn't that fantastic, but at the same time, NAT is definitely at the top of my list of configurations I love to set up. Despite it being one of the most widely implemented concepts in the world of network technology, NAT is the newest topic added to the CCNA exam. This is most likely because of its configuration complexity: It requires a thorough understanding of standard access lists to successfully deploy. However, Cisco is very wise in adding it to the entry-level exam because nearly every network in the world uses NAT in some shape or form. Even home networks using Linksys, D-Link, and Netgear routers use NAT.

NAT was originally developed through a combination of Cisco engineers and the Internet Engineering Task Force (IETF) group in 1994 to overcome the quickly approaching IP address shortage. With the Internet popularity growing at a rate far faster than expected, the remaining public IP addresses would soon be depleted. At that time, TCP/IP version 6 (IPv6, which would have solved the IP address shortage) had been created in a draft status, but would require a worldwide upgrade of network devices and operating system software to successfully deploy. Rather than upgrading all network-capable devices, the focus was placed on creating a gateway device that could enable multiple network devices to share a single IP address. As this concept materialized, NAT was born. Theoretically, a router running NAT is capable of allowing more than 60,000 devices to share a single Internet-valid IP address. Practically speaking, the router resources (processor and memory) and WAN bandwidth are depleted long before that limit is reached.
With thousands of devices capable of using a single, public IP address, the life of TCP/IP version 4 (IPv4) has been extended years beyond what was thought possible.

NAT also acts as a natural security boundary by eliminating end-to-end traceability. If your router only has a single IP address that is connected to the Internet, the public IP address, which is assigned to the outside interface, does not belong to any one internal host. For example, imagine that your router's public IP address is , and all your internal hosts come from the subnet /24. Whenever one of the internal hosts accesses the Internet, it is seen as However, if anyone from the Internet attempts to access , the address maps to no individual host, which makes the internal network invisible to the Internet.
NAT Concepts

Although the introductory discussion of NAT hits the most popular uses of the technology, NAT can be used for much more. Before you go deeper into the specific uses, though, you must first understand the foundation concepts. In its core function, Network Address Translation does just that: translate addresses. It can take any IP address and make it look like another. This is why the creative geniuses behind TCP/IP defined three ranges of private IP addresses in RFC The following is a list of the three private address ranges:

- Class A
- Class B
- Class C

TIP: You need to know the private IP address ranges.

You might notice that a private address range is defined for each class of address. This gives a company more flexibility to use different ranges based on the company size. As a general statement, most small companies use the X.X range, most medium companies use the X.X X.X ranges, and most large companies use the 10.X.X.X ranges. Remember, this is just a general statement, not a solid rule.

It is commonly stated that these private addresses are non-routable, which is not true at all. Thousands of companies around the world use these addresses and route them throughout their private networks just fine. This misunderstanding came about because all Internet Service Providers (ISPs) use access lists to block these addresses from entering or leaving their networks. It is accurate to say that these private addresses are not Internet routable because, if they were, there would be thousands of duplicate IP address conflicts every single day.

As shown in Figure 14.1, networks connected to the Internet typically use these private IP addresses internally and then translate them when attempting to access the Internet. This enables you to have many duplicate addresses around the world without any conflicts because they never communicate directly.
This can cause problems with overlapping IP addresses when companies merge, but NAT can even be engineered to solve these problems.
FIGURE 14.1 Network that uses a NAT configuration with private addressing.

With this foundation in place, you're ready to examine the styles of NAT.

Static NAT

Static NAT is the simplest form of NAT. It enables you to map one IP address to another in a one-to-one relationship. This is typically used to allow access to internal servers from the Internet that are using a private address space. In Figure 14.2, there are three servers located on the internal network: a web server, an FTP server, and an e-mail server. These three servers are assigned to a private IP address space ( /24) and would typically be inaccessible from the Internet. By using Static NAT, you can map the private IP addresses to a public IP on a one-to-one basis, enabling these servers to be accessed from the Internet using the three public IP addresses shown in Figure This Static NAT mapping goes both ways. When someone from the Internet accesses , it is translated to the internal address Likewise, when the server accesses the Internet, it is seen as Although this form of NAT does not allow multiple internal hosts to share a single address, it does implement the security features of NAT by eliminating end-to-end traceability and enables servers that are sharing your private network to be accessed from the Internet.
FIGURE 14.2 Static NAT address mappings.

Static NAT can also be configured to statically translate individual TCP or UDP ports. This awesome feature enables you to take a single IP address and translate one or many ports to either the same host or many different hosts. For example, you might have a router that has the external IP address You can statically configure NAT so that when your router receives a request on , using TCP port 80 (HTTP), it redirects it to the internal address on TCP port 80. However, when it receives a request on , using TCP port 21 (FTP), it redirects it to the internal address on TCP port 21. In this way, NAT can act as a type of firewall (allowing only some ports through to specific hosts) and give you the flexibility of offering many services through the same IP address.

Using Static NAT with ports even makes it possible to redirect port numbers. For example, you might be using one of those scandalous DSL or cable Internet providers that block certain port numbers to keep you from running a web server from home. You can configure Static NAT in such a way that when your router receives a request on TCP port 800 it redirects it to an internal IP address on TCP port 80.

Dynamic NAT

Static NAT is superb if you have a few hosts that need to be translated; however, if many hosts need to be translated, creating static entries for each one can be quite tedious. This is where dynamic NAT can help. Dynamic NAT enables you to define a pool of addresses to be translated along with a pool of addresses to which they are to be translated. The router then dynamically maps these IP addresses as the need arises. This is not the same thing as allowing multiple hosts to share the same IP address (known as NAT overloading). Dynamic NAT makes many one-to-one mappings without requiring you to configure them statically.
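
The one-to-one behaviour of Dynamic NAT, as an added Python model that is not code from the book: the "pool of addresses to be translated" is expressed as a standard access list with wildcard masks (the mechanism the configuration section uses), and the "pool to which they are translated" is a two-address range, so a third host finds the pool empty instead of sharing an address. All addresses, the ACL entries and the names `acl_action`, `DynamicNat` and `demo_dynamic_pool` are constructed for this example.

```python
"""Dynamic NAT model: an access list selects sources, a pool supplies addresses.

Every address, ACL entry and pool range below is a constructed sample value.
"""
from ipaddress import IPv4Address

# Constructed standard ACL: (action, address, wildcard mask), checked in order.
SAMPLE_ACL = [
    ("deny", "192.168.1.99", "0.0.0.0"),      # one host excluded explicitly
    ("permit", "192.168.1.0", "0.0.0.255"),   # rest of the inside subnet
]


def acl_action(acl, src):
    """Return the action of the first matching entry.

    Wildcard-mask bits set to 1 are ignored in the comparison; a source that
    matches no entry falls through to the implicit deny.
    """
    s = int(IPv4Address(src))
    for action, base, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(IPv4Address(base)) & care):
            return action
    return "deny"


class PoolExhausted(Exception):
    """Raised when every pool address is already mapped to a host."""


class DynamicNat:
    def __init__(self, acl, pool_start, pool_end):
        self.acl = acl
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free = [str(IPv4Address(n)) for n in range(first, last + 1)]
        self.active = {}  # inside local address -> pool address (one-to-one)

    def translate(self, src):
        """Return the pool address for src, or None if src is not selected."""
        if acl_action(self.acl, src) != "permit":
            return None
        if src not in self.active:
            if not self.free:
                raise PoolExhausted(src)
            self.active[src] = self.free.pop(0)
        return self.active[src]

    def release(self, src):
        """Drop a mapping and return its address to the pool."""
        addr = self.active.pop(src, None)
        if addr is not None:
            self.free.append(addr)


def demo_dynamic_pool():
    nat = DynamicNat(SAMPLE_ACL, "172.16.50.1", "172.16.50.2")
    result = {
        "h10": nat.translate("192.168.1.10"),
        "h11": nat.translate("192.168.1.11"),
        "h10_again": nat.translate("192.168.1.10"),   # mapping is reused
        "denied_host": nat.translate("192.168.1.99"),
        "other_subnet": nat.translate("10.0.0.5"),    # implicit deny
    }
    try:
        result["third_host"] = nat.translate("192.168.1.12")
    except PoolExhausted:
        result["third_host"] = "pool exhausted"
    nat.release("192.168.1.10")
    result["after_release"] = nat.translate("192.168.1.12")
    return result


if __name__ == "__main__":
    for name, value in demo_dynamic_pool().items():
        print(f"{name:14} {value}")
```
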
NAT Overload and Port Address Translation

Now we come to the form of NAT that made it famous. NAT Overload, also known as Port Address Translation (PAT), enables a single IP address to support many internal clients. Whenever a host establishes communication with a server outside the NAT firewall, it tries to access a specific port number (known as the destination port). However, it also uses a source port number to allow for return traffic (this is discussed more thoroughly in Chapter 13, "Access Lists"). Figure 14.3 shows how NAT Overload also incorporates this source port number into the translation.

FIGURE 14.3 NAT Overload uses port numbers to make translations unique.

The hosts communicating randomly generate the source ports. The NAT router then appends these to the public IP address to make the source socket (or IP address and port number combination) unique. When the Internet server replies to whatever request was made, it does so to the source IP and socket. When the NAT router receives the reply it is then able to redirect it to the correct internal host by referring to its NAT translation table. Because hosts use random source ports, there is very little possibility that two hosts will choose the same source port number (one chance out of some 60,000); however, if two hosts do happen to choose the same port number, the NAT device causes one of the device sessions to reset and choose a different port number. By using unique port numbers, the router can originate thousands of requests from its single Internet IP address. This provides Internet access to the internal network clients while using just one Internet address.

NAT Terminology

Believe it or not, setting up NAT is not very difficult; it's learning the terminology used with NAT that can cause your brain to fry.
The first time you see these terms, they may make no sense to you at all, and that's just fine. It takes some time to soak in. Now, keep in mind that these are not Cisco terms; rather, they are an industry standard way of referring to the four different points in a NAT-based network. Before trying to understand the four NAT address descriptions, you must understand the building blocks used to construct these terms:
- Inside/Outside: These NAT descriptors refer to where a device is physically located. If a device is inside, it is under your control; it is in your network. If a device is outside, it is not under your control; it is outside your network.
- Local/Global: These NAT descriptors refer to where an IP address is located from the perspective of a NAT device. The NAT device is a network device that has its address translated through a NAT router. It could be a PC, a server, an XBox, or any other type of host that has a private address that is translated to a real address on the Internet. If the IP address is considered local, it is seen as a device on the local subnet from the perspective of a NAT device (this may or may not be true). If the IP address is considered global, it is seen as not on the local subnet from the perspective of a NAT device.

If that doesn't sound confusing, just wait until we start combining those terms together for the four NAT address descriptions. Figure 14.4 shows a visual location of these addresses on the network.

FIGURE 14.4 NAT terminology.
- Inside Local Addresses: These addresses are the easiest to understand because they refer to everything inside your network. Remember the word constructs discussed just a moment ago: An address inside is physically located inside your network. From the perspective of the NAT device, it is local, meaning it is seen on the internal network. If an inside local address were to communicate with another inside local address, that communication would be described as standard LAN connectivity. No routers would be needed.
- Inside Global Addresses: Now the terms begin to mix a little bit. Let's break this down into the individual pieces: First off, the address is inside, which means that it is physically located on your network; it is under your control. Global means that it is seen as an IP address not on the local subnet from the perspective of one of your NAT devices. Put all this together and you are left with the Internet valid IP address assigned to your router that is directly connected to the Internet. This is where a fundamental understanding of inside and outside can really help; if the address were an outside global, it would not be under your control, meaning that it could be any of the millions of devices attached to the Internet.
- Outside Global Addresses: Outside global addresses refer to devices that are physically outside your network, outside your control. These addresses are global, meaning that the NAT devices on the inside of your network see these as non-local addresses. Put these two pieces together and you have a description of a standard, Internet IP address.
- Outside Local Addresses: I saved the best for last. Outside local addresses confused me for quite some time until I fully understood the capabilities of NAT. First let's look at the pieces: This address is physically outside your network, out of your control, out on the Internet. However, it appears to NAT devices as an IP address on the local subnet.
What this describes is an Internet host translated as it comes through the NAT router into your local network. You can think of this as reverse NAT, or just NAT in the other direction. As shown in Figure 14.4, when the cisco.com web server speaks to the internal hosts on the /24 network, they believe it to be colocated on the local subnet with them. They come to this conclusion because the NAT router translates the outside global address to something local (perhaps , the NAT gateway's address).

TIP: Understanding the four NAT address descriptors listed is not only useful for the CCNA exam, but also for understanding any real-world NAT documentation.
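
The translation table behind the static port mappings and NAT Overload described earlier, as an added Python model that is not code from the book: each entry ties an inside global socket (the router's public address and a port) to an inside local socket (a private host and its port), and a packet from an outside global host that matches no entry maps to nothing. The 203.0.113.1 and 192.168.1.x addresses, the names `NatRouter` and `demo_overload`, and the choice to hand out a different global port when two hosts pick the same source port are assumptions of this example.

```python
"""Toy NAT router: static port forwards plus NAT Overload (PAT).

All addresses and ports are constructed sample values.
"""
import random


class NatRouter:
    def __init__(self, inside_global, seed=None):
        self.inside_global = inside_global   # router's single public address
        self._rng = random.Random(seed)
        # Both tables: (proto, global_port) -> (inside_local_ip, local_port)
        self.static = {}
        self.dynamic = {}
        self._by_inside = {}  # (proto, local_ip, local_port) -> global_port

    def add_static_port(self, proto, global_port, local_ip, local_port):
        """Static NAT for one port; global and local port may differ."""
        self.static[(proto, global_port)] = (local_ip, local_port)

    def _in_use(self, proto, port):
        return (proto, port) in self.static or (proto, port) in self.dynamic

    def outbound(self, proto, local_ip, local_port):
        """Translate an inside local socket to an inside global socket."""
        key = (proto, local_ip, local_port)
        if key not in self._by_inside:
            port = local_port                  # keep the host's port if free
            while self._in_use(proto, port):   # collision: use another port
                port = self._rng.randint(1024, 65535)
            self.dynamic[(proto, port)] = (local_ip, local_port)
            self._by_inside[key] = port
        return (self.inside_global, self._by_inside[key])

    def inbound(self, proto, dst_ip, dst_port):
        """Map a packet arriving from outside to an inside local socket.

        Returns None when the table holds no entry for that socket.
        """
        if dst_ip != self.inside_global:
            return None
        key = (proto, dst_port)
        return self.static.get(key) or self.dynamic.get(key)

    def table(self):
        """Rows in the 'inside global = inside local' form of Figure 14.3."""
        rows = []
        for kind, entries in (("static", self.static),
                              ("overload", self.dynamic)):
            for (proto, gport), (lip, lport) in sorted(entries.items()):
                rows.append(f"{kind:8} {proto} "
                            f"{self.inside_global}:{gport} = {lip}:{lport}")
        return rows


def demo_overload():
    router = NatRouter("203.0.113.1", seed=7)
    # Static port mappings: HTTP and FTP to different hosts, 800 -> 80.
    router.add_static_port("tcp", 80, "192.168.1.20", 80)
    router.add_static_port("tcp", 21, "192.168.1.21", 21)
    router.add_static_port("tcp", 800, "192.168.1.20", 80)
    # Two inside hosts happen to choose the same source port.
    first = router.outbound("tcp", "192.168.1.10", 2112)
    second = router.outbound("tcp", "192.168.1.11", 2112)
    return {
        "first": first,
        "second": second,
        "reply_to_first": router.inbound("tcp", *first),
        "reply_to_second": router.inbound("tcp", *second),
        "web": router.inbound("tcp", "203.0.113.1", 80),
        "redirected": router.inbound("tcp", "203.0.113.1", 800),
        "no_entry": router.inbound("tcp", "203.0.113.1", 23),
        "table": router.table(),
    }


if __name__ == "__main__":
    print("\n".join(demo_overload()["table"]))
```
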
NAT Configurations

Configuring NAT is not all that bad as long as you focus in on your objective. I mention this because the syntax can be quite daunting when you see all the options available to you. Advanced NAT configurations can get quite complex.

TIP: For the CCNA exam, you should be able to perform these three NAT-related tasks:

- Configure Static NAT, translating an inside global address (or port number) to an internal host, such as a web, DNS, or e-mail server.
- Configure Dynamic NAT, translating a pool of inside local addresses to a pool of outside global addresses.
- Configure NAT Overload, translating many inside local addresses to a single inside global address.

Of these three, I would especially focus on the first and third configurations because they are more common in the real world.

With that said, it's time to walk through these configurations one at a time.

Static NAT

As discussed earlier, Static NAT performs a one-to-one mapping from an inside local address to an inside global address (in English: from a private to a public address). This could mean that all traffic is translated between these addresses, or it could mean that you just choose certain ports through which to translate. As I go through the syntax, I expand a little more on this. Figure 14.5 adds a network diagram to this syntax.

FIGURE 14.5 Static NAT configuration.
Before you get into the syntax, I want to make sure you've got the terms down. The internal network consists of the /24 addresses. In NAT terms, these are all inside local addresses. The router has a single Internet IP address of This is considered the inside global address. The rest of the hosts on the Internet that will be accessing your internal servers all have outside global addresses.

- Scenario 1: Configure a Static NAT translation so that if any request on any port is received on the inside global address of the NAT_Router, it forwards that request to the Internal Web server.

Here we go! First, get familiar with the current interfaces:

NAT_Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet YES manual up up
Serial YES manual up up

Everything is as shown in the Figure The first step in configuring NAT is to identify your inside and outside interfaces to the router. This is done on a per-interface basis:

NAT_Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NAT_Router(config)#interface fastethernet0
NAT_Router(config-if)#ip nat inside      !identifies internal interface
NAT_Router(config-if)#exit
NAT_Router(config)#interface serial0
NAT_Router(config-if)#ip nat outside     !identifies external interface
NAT_Router(config-if)#exit
NAT_Router(config)#

With these interfaces identified to the router, it now knows which interface(s) are considered outside and inside. Setting up the Static NAT translation is a little more difficult. Static NAT configurations are set up in global configuration mode with the ip nat syntax:

NAT_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration

The primary keywords to consider are the inside and outside keywords.
These two commands perform exactly the same function from different perspectives. If you choose the inside keyword, the syntax that follows will translate an inside address to an outside address. If you choose the outside keyword, the syntax that follows translates an outside address to an
inside address. Because NAT translations are always two-way, the keyword you choose influences the order you use for the addresses in the upcoming syntax. To save confusion, I would recommend picking one method (inside or outside) and using it indefinitely. Many moons ago, I chose to use inside, so that's what I'll do here:

NAT_Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

The choice now is whether to translate the inside source IP address or inside destination IP address. Well, if you are looking from the perspective of the inside device (what was chosen when the inside keyword was used rather than outside), you need to translate the internal device's source IP address rather than its various destination IP addresses (you see now how this can get confusing if you alternate between inside and outside keywords?).

NAT_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

At this point, the router wants to know what type of translation you would like to perform. The list keyword is used to perform dynamic NAT translations. Using route-maps for NAT is far beyond the scope of the CCNA (and perhaps even the CCNP). In this case, you need to define a static translation.

NAT_Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

The router would now like to have either the inside local address or the protocol information. This scenario requests a full translation from the router's inside global address to the web server's inside local address. If you were choosing to use NAT to translate individual ports, you would use either TCP or UDP protocols. For this scenario, you can enter the web server's inside local address.

NAT_Router(config)#ip nat inside source static ?
  A.B.C.D  Inside global IP address

The router now needs to know what inside global address to use. In this example, the router's inside global address is , which is the same IP address assigned to its Serial0 interface. In the real world, you have the option of purchasing blocks of IP addresses from your ISP. You can then translate each one of these public addresses to an inside local address without the address even being assigned to an interface! All you need to do is create Static NAT mappings for
each one of the addresses that you have been assigned by the ISP, and your router automatically responds to them on the interface(s) you have designated as ip nat outside interfaces. In this example, there is only a single IP address, so that's plugged in here:

NAT_Router(config)#ip nat inside source static ?
  extendable  Extend this translation when used
  no-alias    Do not create an alias for the global address
  <cr>

The extendable keyword enables you to have multiple inside global addresses mapped to the same inside local address (all the mappings must be marked with the extendable keyword). The no-alias command enables you to set up a one-way NAT mapping from the inside to outside. (The outside interface does not pass requests through to the inside host, but the inside host is translated to the outside.) In this case, you're not adding either of these special functions, so you can just press the Enter key. Awesome! You can verify this configuration by using either the show running-config command or the much more concise show ip nat translations:

NAT_Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global

Because this is a manually defined static entry, only the inside global and inside local fields are populated. If a host tried to connect to this entry (to access the internal web server), you would see the outside local and outside global columns populate as well. Let me generate some traffic from the outside to show you what this will look like:

NAT_Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp : : : :3367

In this case, I had an outside host access the address with a web browser (TCP port 80). You can see that it kept the original static entry and added a line below it, showing the outside local and outside global addresses of the external client.
In this case, they are the same because the outside host appears as an outside host to the web server (the outside local address). The port 3367 is the dynamically generated source port number of the outside host; port 80 is the destination port number sent to the web server. Scenario #1, accomplished!

- Scenario 2: Configure two additional Static NAT translations. If the NAT_Router receives a request to its inside global address that uses SMTP, it should be sent to the internal e-mail server. If it receives a DNS request on the inside global address, it should forward it to the internal DNS server. All other traffic should still remain forwarding to the internal web server.
Wow! What a scenario! To tackle this, you must remember the universal rule of routing: The more specific matches always win. So, if you were to add specific Static NAT entries that forward just a single port number, it would always overrule the "forward all" entry configured for the web server in Scenario #1. Let's walk through these using context-sensitive help one more time, with a little less commentary.

NAT_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
NAT_Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
NAT_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
NAT_Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

So far, the Static NAT mapping has been configured in exactly the same fashion as the previous one. Now we'll add a little twist: Because we are just forwarding specific ports to the internal server, we'll need to choose the protocol those ports are using. The scenario called for us to forward SMTP traffic to the internal e-mail server and DNS traffic to the internal DNS server. SMTP uses TCP port 25 and DNS traffic uses UDP port 53 (remember this from the access-list chapter?), so here's how the syntax will continue. First, we'll focus on creating the map for the e-mail server:

NAT_Router(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address
NAT_Router(config)#ip nat inside source static tcp ?
  < >  Local UDP/TCP port
NAT_Router(config)#ip nat inside source static tcp ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

All righty then. A specific Static NAT mapping has been configured that uses the TCP protocol and pointed to the inside local address of with the inside local port 25. Isn't that interesting? Now it's time to specify an inside local port as well! This opens up a bunch of possibilities. But before I expand on those, let's finish the command:

NAT_Router(config)#ip nat inside source static tcp ?
  < >  Global UDP/TCP port
NAT_Router(config)#ip nat inside source static tcp ?
  extendable  Extend this translation when used
  no-alias    Do not create an alias for the global address
  <cr>
NAT_Router(config)#ip nat inside source static tcp
NAT_Router(config)#^Z
NAT_Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp : :

Did you see that? Not only was the command finished and the Static NAT mapping added to the table, but now you can see the possibility for the global TCP/UDP port! This enables you to perform the fantastic configuration of port redirection. Here's the idea: Perhaps for security reasons, you didn't want to have the internal server answering SMTP requests on port 25, so the internal port on the server is changed to 5525. Now, none of the internal clients can access that server via port 25; however, the NAT router can redirect incoming Internet requests on port 25 to the inside local port 5525! All this is seamless to the Internet clients. Are you as excited about this as I am? Finally, let's add the last NAT translation for the DNS server:

NAT_Router(config)#ip nat inside source static udp ?
  A.B.C.D  Inside local IP address
NAT_Router(config)#ip nat inside source static udp ?
  < >  Local UDP/TCP port
NAT_Router(config)#ip nat inside source static udp ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address
NAT_Router(config)#ip nat inside source static udp ?
  < >  Global UDP/TCP port
NAT_Router(config)#ip nat inside source static udp
NAT_Router(config)#^Z
NAT_Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp : :
udp : :

Perfect! Three Static NAT entries have now been added. Before moving on, let me call your attention to the context-sensitive help after the local port information has been entered. Take a look:

NAT_Router(config)#ip nat inside source static udp ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

So far, you have been entering the inside global address that you would like to translate. However, there may be an occasion that you do not know what your global address may be (primarily when using DHCP for your Internet address). In this case, you can use the interface keyword rather than an inside global address to translate requests received on the outside interface to internal hosts. This can be especially useful when using a Cisco router to perform NAT on a cable or DSL connection at a home.

NAT_Router(config)#ip nat inside source static udp interface serial 0 53

Dynamic Pool Translations

The next step is to move from the manual, Static NAT entries to allowing the router to do the work for you. Dynamic NAT enables you to define a pool of addresses to translate from and a pool of addresses to translate to. The primary application of Dynamic translations is to temporarily overcome overlapping IP addresses. For example, a company might use subnets of the /8 address range for their internal addressing. This company might merge with another company that uses the same internal address space (this happens all the time). The IT staff could implement an intermediary design that used NAT to translate between the two networks. When performing this type of translation, hosts must refer to each other by hostname rather than IP address, thus requiring a DNS server be in place.
When the NAT router sees a reply from a remote DNS server, it changes the remote IP address to something other than an overlapping IP address. Although the CCNA-level NAT does not get deep into design for overlapping IP addresses, you need to know the basic configurations of Dynamic NAT. These configurations also act as springboards into the NAT Overload configuration. First, examine Figure 14.6 for a look at a Dynamic NAT network diagram.
[FIGURE 14.6 Dynamic NAT translations: two internal networks connected through NAT_Router]

Scenario 3: Configure the NAT_Router so that hosts from the /24 network are seen as IP addresses when accessing the hosts in the /24 network. Likewise, the hosts from the /24 network should be seen as IP addresses when accessing the hosts in the /24 network.

This configuration is known as a two-way Dynamic NAT configuration. The truth is, the NAT_Router in the middle of the diagram is not even doing any routing. It's just translating between the subnets. If you ever aspire to move on and tackle the CCIE lab, these sorts of tricks are key to have in your tool belt. Here's the configuration walkthrough:

1. As before, configure the interfaces as NAT outside and inside interfaces. In this case, it does not really matter which one is set up as inside or outside because just a private network is being translated.

NAT_Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet YES manual up up
Serial YES manual up up
NAT_Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NAT_Router(config)#interface fastethernet0
NAT_Router(config-if)#ip nat inside
NAT_Router(config-if)#exit
NAT_Router(config)#interface serial0
NAT_Router(config-if)#ip nat outside
NAT_Router(config-if)#exit
NAT_Router(config)#
2. Now you are introduced to a new concept: the NAT pool. This pool defines to what addresses you will translate. Based on the scenarios, you need to create two NAT pools: one for the range and one for the range.

NAT_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
NAT_Router(config)#ip nat pool ?
  WORD  Pool name
NAT_Router(config)#ip nat pool NETWORK1 ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
NAT_Router(config)#ip nat pool NETWORK ?
  A.B.C.D  End IP address
NAT_Router(config)#ip nat pool NETWORK ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
NAT_Router(config)#ip nat pool NETWORK prefix-length ?
  <1-32>  Prefix length
NAT_Router(config)#ip nat pool NETWORK prefix-length 24
NAT_ROUTER(config)#

This command has created a NAT pool called Network1 that defines the correct address range necessary. Notice that this is one of the first commands you have seen that enables you to use CIDR notation (also known as "bit notation") for your subnet mask. You now need to create a second NAT pool for the other network range.

NAT_Router(config)#ip nat pool NETWORK prefix-length

3. You must now create a couple of standard access lists that will define the addresses that will be translated. This is one of the non-security uses of an access list.

NAT_Router(config)#access-list 50 permit
NAT_Router(config)#access-list 51 permit
4. Now you can put all the pieces together and turn on the NAT translation between the networks. The first thing is to define a translation going from the /24 subnet to the /24 network.

NAT_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
NAT_Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
NAT_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
NAT_Router(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses
NAT_Router(config)#ip nat inside source list 50 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
NAT_Router(config)#ip nat inside source list 50 pool ?
  WORD  Pool name for global addresses
NAT_Router(config)#ip nat inside source list 50 pool NETWORK2 ?
  overload  Overload an address translation
  <cr>
NAT_Router(config)#ip nat inside source list 50 pool NETWORK2
NAT_Router(config)#

If you were to read the preceding line of syntax in English, it would sound something like this: "Translate the internal addresses defined in access-list 50 into the pool of addresses defined in the NAT pool NETWORK2." Keep a mental note of that overload keyword you see in the final context-sensitive help; you'll make use of that soon enough. For now, let's define the translation going back the other way:

NAT_Router(config)#ip nat outside source list 51 pool NETWORK1
NAT_Router(config)#
Notice that this time an outside-to-inside translation was configured because the interface was marked as connected to the /24 subnet as the outside interface. At this point, the networks are translating quite well. Remember that the pool of 25 addresses defined earlier allows only 25 concurrent sessions between the subnets. Any concurrent sessions above that number will fail.

NAT Overload

Finally, it's time to explore the feature that made NAT famous around the network world: NAT Overload. NAT Overload is the official name of the feature that allows multiple hosts to share a single IP address. When Microsoft began allowing their servers to perform routing with the Routing and Remote Access administrative tools, they decided to call the feature Port Address Translation (PAT), which caught on in many circles. I prefer to use the former of the two terms because NAT can statically translate TCP or UDP ports to different inside local addresses; the true port address translation.

The configuration of NAT Overload is a piece of cake, especially now that you've seen the prior Dynamic NAT configuration. Let's walk through a new scenario step by step. In Figure 14.7, a typical network is connected to the Internet through the NAT_Router. The router needs to be configured to perform NAT Overload to enable all the internal clients to access the Internet through a single IP address. Notice as well that the Internet IP address is assigned via DHCP, so there's no way to be sure what the inside global address is at any given point in time. Here goes!

[FIGURE 14.7 NAT Overload configuration: internal network /16 with a web server, connected through NAT_Router (DHCP-assigned Internet IP) to the Internet]

Scenario 4: Configure the network pictured in Figure 14.7 for NAT Overload, allowing all internal clients to access the Internet. In addition, configure a static entry that sends any incoming request on TCP port 80 or 443 to the internal web server.
The first thing is to become familiar with NAT_Router:

NAT_Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet YES manual up up
Serial YES DHCP up up

Now it's time to identify the interfaces to the NAT process:

NAT_Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NAT_Router(config)#interface fastethernet 0
NAT_Router(config-if)#ip nat inside
NAT_Router(config-if)#exit
NAT_Router(config)#interface serial 0
NAT_Router(config-if)#ip nat outside

Now, just as with the Dynamic NAT, you need to create an access list that identifies the addresses to be translated by NAT. Use a named access list this time:

NAT_Router(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List
NAT_Router(config)#ip access-list standard ?
  <1-99>  Standard IP access-list number
  < >     Standard IP access-list number (expanded range)
  WORD    Access-list name
NAT_Router(config)#ip access-list standard INTERNAL_ADDRESSES
NAT_Router(config-std-nacl)#permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
NAT_Router(config-std-nacl)#permit ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
NAT_Router(config-std-nacl)#permit

Perfect! Now on to the final command that will enable NAT Overload for the addresses that have been defined. Once again, the ip nat syntax from Global Configuration mode is used to set this up:

NAT_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
NAT_Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
NAT_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

This is where the router is asking you to specify the internal addresses to be translated. Previously, the static keyword was used to perform 1:1 IP address or port translations; now the list keyword designates a list of internal addresses to be translated. The access list just created specifies which internal addresses will translate.

NAT_Router(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses
NAT_Router(config)#ip nat inside source list INTERNAL_ADDRESSES ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

Now the router needs to know what inside global address the inside local addresses should use. You can designate this either by using a NAT pool (as shown with the Dynamic NAT configuration), or by specifying an outgoing interface to use. Because you do not know what inside global address you will have (because of the DHCP configuration), you need to specify the outgoing interface.

NAT_Router(config)#ip nat inside source list INTERNAL_ADDRESSES interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
NAT_Router(config)#ip nat inside source list INTERNAL_ADDRESSES interface serial 0 ?
  overload  Overload an address translation
  <cr>
NAT_Router(config)#ip nat inside source list INTERNAL_ADDRESSES interface serial 0 overload

There it was! The magic overload keyword. That's all it takes to turn on NAT Overload for the interface connected to the Internet. The router will now translate thousands of internal hosts through a single IP address.

One more thing needs to be done to complete the scenario: Add the Static NAT translation for the web server. By adding this configuration, you combine NAT Overload with Static NAT, which is a very common configuration. Here goes:

NAT_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
NAT_Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
NAT_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
NAT_Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
NAT_Router(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address
NAT_Router(config)#ip nat inside source static tcp ?
  < >  Local UDP/TCP port
NAT_Router(config)#ip nat inside source static tcp ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address
NAT_Router(config)#ip nat inside source static tcp interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
NAT_Router(config)#ip nat inside source static tcp interface serial 0 ?
  < >  Global UDP/TCP port
NAT_Router(config)#ip nat inside source static tcp interface serial 0 80

Beautiful. This has added the line that will translate incoming requests to the web server in addition to performing NAT Overload for all other internal clients. If some internal clients are accessing the Internet, you can verify that the translations are working properly:

NAT_Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp : : : :80
tcp : : : :80
udp : : : :53
udp : : : :53
udp : : : :53
udp : : : :123
tcp : : : :80
tcp : : : :80
tcp : : : :110
tcp : : : :110
udp : : : :53
tcp : : !Web Server
udp : : : :53
udp : : : :53
tcp : : : :110
tcp : : : :110
tcp : : : :80
tcp : : : :80
udp : : : :5061
udp : : : :5061
udp : : : :53
Holy cow! They sure are working, and it looks like the internal clients have taken advantage of that fact. If you look down the list of inside local addresses, you can see what inside hosts are accessing the Internet (along with what source port they are using to establish the request). Also, take a look at the inside global address; notice anything odd? It's the same address the whole way down, just using different port numbers. This is the perfect picture of NAT Overload. Finally, take a look at the highlighted translation. This is the Static NAT entry that was added for the internal web server. There are no outside local/global addresses for this because it is not in use at this time.

Verifying NAT Operation

Although a show running-config command will always be useful to show what commands you have entered into your router to get NAT running, you can use a few commands to ensure NAT is operational. The primary command you have seen many times up to this point: show ip nat translations. This command gives you a snapshot view of what current NAT translations are active on your router. Its sidekick command, show ip nat statistics, gives you a view of how many translations are currently active, how many total translations have occurred, and how much of your NAT pool is being used (if performing Dynamic NAT). A sample output of this command follows:

NAT_Router#show ip nat statistics
Total active translations: 12 (0 static, 12 dynamic; 11 extended)
Outside interfaces: Serial0
Inside interfaces: FastEthernet0
Hits: Misses:
Expired translations:
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT_TRANSLATION interface Ethernet0 refcount 4

Finally, you may encounter a situation where a bad NAT translation is kept in the table. This happens frequently when you are changing your internal IP address scheme in some way, especially when you are changing individual host addresses that were just accessing the Internet. Although waiting for some time for the translations to time out solves the problem, impatient administrators may want to use the clear ip nat translation * command to wipe out any dynamically created NAT entries. This is not likely to disrupt service to your internal network because active NAT translations immediately re-create themselves as the internal host sends or receives data to or from the Internet.
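The snapshot check described in this section can be scripted. The following Python code is an added example, not part of the chapter: it parses text in the column layout of show ip nat translations, lists the static (inbound) mappings, and reports any that are not on an approved list. The sample output, its addresses and the APPROVED_STATIC list are constructed for illustration.

```python
"""Audit a "show ip nat translations" snapshot for unexpected static mappings."""
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed sample in the column layout of "show ip nat translations".
# Addresses are private/documentation ranges chosen here, not the chapter's.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local        Outside local      Outside global
tcp 203.0.113.5:1031   192.168.1.10:1031   198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1032   192.168.1.10:1032   198.51.100.9:110   198.51.100.9:110
udp 203.0.113.5:1033   192.168.1.11:1033   198.51.100.53:53   198.51.100.53:53
udp 203.0.113.5:123    192.168.1.12:123    198.51.100.20:123  198.51.100.20:123
tcp 203.0.113.5:80     192.168.1.100:80    ---                ---
tcp 203.0.113.5:3389   192.168.1.20:3389   ---                ---
"""

# Inbound mappings the administrator intends to publish (assumed policy):
# (protocol, inside local IP, inside local port).
APPROVED_STATIC = {("tcp", "192.168.1.100", 80)}


class Endpoint(NamedTuple):
    ip: str
    port: Optional[int]


class Translation(NamedTuple):
    proto: str
    inside_global: Optional[Endpoint]
    inside_local: Optional[Endpoint]
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]

    @property
    def is_static(self) -> bool:
        # An idle static entry lists no outside addresses ("---" columns).
        return self.outside_local is None and self.outside_global is None


def parse_endpoint(field: str) -> Optional[Endpoint]:
    """Turn 'a.b.c.d:port', 'a.b.c.d' or '---' into an Endpoint or None."""
    if field == "---":
        return None
    ip, _, port = field.partition(":")
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return Endpoint(ip, int(port) if port else None)


def parse_translations(text: str) -> List[Translation]:
    """Parse every data row; fail loudly instead of skipping odd lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Pro":  # blank line or column header
            continue
        if len(fields) < 5:
            raise ValueError(f"unexpected line: {line!r}")
        rows.append(Translation(fields[0], *map(parse_endpoint, fields[1:5])))
    return rows


def audit(rows: List[Translation], approved: set) -> dict:
    """Summarise the snapshot and flag static mappings outside the policy."""
    static = [r for r in rows if r.is_static and r.inside_local]
    dynamic = [r for r in rows if not r.is_static]
    unapproved = [
        (r.proto, r.inside_local.ip, r.inside_local.port)
        for r in static
        if (r.proto, r.inside_local.ip, r.inside_local.port) not in approved
    ]
    return {
        "static_entries": len(static),
        "unapproved_static": unapproved,
        # NAT Overload should show a single inside global address here.
        "inside_globals": {r.inside_global.ip for r in dynamic if r.inside_global},
        # Active translations per inside host, busiest first via most_common().
        "sessions_per_host": Counter(r.inside_local.ip for r in dynamic if r.inside_local),
    }


if __name__ == "__main__":
    report = audit(parse_translations(SAMPLE_OUTPUT), APPROVED_STATIC)
    for proto, ip, port in report["unapproved_static"]:
        print(f"static mapping not in policy: {proto} -> {ip}:{port}")
    print("inside global addresses in use:", sorted(report["inside_globals"]))
    print("busiest inside hosts:", report["sessions_per_host"].most_common(3))
```

Save the router's output to a file and pass its contents to parse_translations in place of SAMPLE_OUTPUT; keep APPROVED_STATIC in step with the static entries you configure.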
Chapter Summary

Network Address Translation (NAT) has become so successful for prolonging the life of IPv4 that it has now become a prohibitor of a progressive move to TCP/IP version 6. Because of its widespread use, NAT features have grown over the years to provide a solution to almost any network situation.

A company planning to use NAT will deploy one of the three private address ranges on their internal network, which are prevented from routing to the Internet. They will then use one of the three forms of NAT (Static NAT, Dynamic NAT, or NAT Overload) to translate these private ranges onto the Internet. Most networks use a combination of NAT Overload and Static NAT to accomplish most major network objectives.

Most of the challenge with NAT is learning the terminology that describes the different addresses on a network. Inside local addresses are internal to a network. The inside global address represents the public Internet address assigned to your router. Outside global addresses represent all the hosts outside of your network attached to the Internet with Internet IP addresses. Finally, outside local addresses represent hosts outside your network as they are seen by the internal NAT hosts.

Key Terms

- Network Address Translation (NAT)
- Port Address Translation (PAT)
- Static NAT
- Dynamic NAT
- NAT Overload
- private IP addresses
- public IP addresses
- inside local address
- inside global address
- outside local address
- outside global address
- port redirection
- NAT pool
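The difference between a Dynamic NAT pool and NAT Overload summarized above, written out as a Python model. This is an added example, not code from the chapter or from Cisco IOS; the addresses, class names and the port-selection rule are assumptions made for illustration.

```python
"""Model of Dynamic NAT (address pool) versus NAT Overload (one address, many ports)."""
import ipaddress
from itertools import chain


class TranslationFailed(Exception):
    """No inside global address or port is left for a new translation."""


class DynamicNat:
    """Each inside local host takes one whole address from a fixed pool."""

    def __init__(self, first_ip, last_ip):
        start = int(ipaddress.IPv4Address(first_ip))
        end = int(ipaddress.IPv4Address(last_ip))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)]
        self.by_local = {}  # inside local IP -> pool address

    def translate(self, inside_local_ip):
        if inside_local_ip not in self.by_local:
            if not self.free:
                raise TranslationFailed("pool exhausted for " + inside_local_ip)
            self.by_local[inside_local_ip] = self.free.pop(0)
        return self.by_local[inside_local_ip]


class OverloadNat:
    """All inside hosts share one inside global address; ports keep flows apart.

    Simplification: entries are keyed by protocol and port only, whereas a
    real translation entry also records the outside address.
    """

    def __init__(self, inside_global_ip, first_port=1024):
        self.inside_global_ip = inside_global_ip
        self.first_port = first_port
        self.out = {}     # (proto, local ip, local port) -> global port
        self.back = {}    # (proto, global port) -> (local ip, local port)
        self.static = {}  # (proto, global port) -> (local ip, local port)

    def add_static(self, proto, local_ip, local_port, global_port):
        """Static port mapping, e.g. publishing an inside web server."""
        self.static[(proto, global_port)] = (local_ip, local_port)

    def _pick_port(self, proto, wanted):
        # Assumed rule: keep the host's source port if free, else first free port.
        for port in chain([wanted], range(self.first_port, 65536)):
            if (proto, port) not in self.back and (proto, port) not in self.static:
                return port
        raise TranslationFailed("no free port on " + self.inside_global_ip)

    def outbound(self, proto, local_ip, local_port):
        """Translate an outgoing flow; returns (inside global IP, global port)."""
        key = (proto, local_ip, local_port)
        if key not in self.out:
            port = self._pick_port(proto, local_port)
            self.out[key] = port
            self.back[(proto, port)] = (local_ip, local_port)
        return self.inside_global_ip, self.out[key]

    def inbound(self, proto, global_port):
        """Inside endpoint for an arriving packet, or None if it is dropped."""
        key = (proto, global_port)
        return self.static.get(key) or self.back.get(key)


def count_served(nat, hosts):
    """Ask a DynamicNat for one translation per host; return (served, refused)."""
    served, refused = [], []
    for host in hosts:
        try:
            nat.translate(host)
            served.append(host)
        except TranslationFailed:
            refused.append(host)
    return served, refused


if __name__ == "__main__":
    # Constructed addresses: a 25-address pool and 30 inside hosts.
    pool = DynamicNat("10.0.2.1", "10.0.2.25")
    served, refused = count_served(pool, [f"10.0.1.{n}" for n in range(1, 31)])
    print(f"Dynamic NAT: {len(served)} hosts translated, {len(refused)} refused")

    pat = OverloadNat("203.0.113.5")
    pat.add_static("tcp", "192.168.1.100", 80, 80)
    print(pat.outbound("tcp", "192.168.1.10", 1025))  # keeps port 1025
    print(pat.outbound("tcp", "192.168.1.11", 1025))  # same port wanted, gets another
    print(pat.inbound("tcp", 80))   # static entry: reaches the web server
    print(pat.inbound("tcp", 22))   # no entry: None, the packet is dropped
```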
Apply Your Knowledge

Exercises

14.1 Configuring NAT for a Home Network Environment

You would like to deploy NAT on a home network. This network has five internal hosts and receives a public Internet IP address through DHCP on a DSL connection. The Cisco 1700 router should use NAT Overload to enable all internal clients to access the Internet. In addition, you would like to use Windows Remote Desktop Client (TCP Port 3389) to access your home PC ( ) from anywhere in the world. Figure 14.8 shows a picture of this home network with relevant addressing details.

[FIGURE 14.8 Home network diagram: home network connected through Home_RTR (DHCP-assigned Internet IP) to the Internet]

Estimated Time: 5-10 minutes

1. This is something that any CCNA student can do at home, provided you have some type of high-speed Internet connection. The first thing you need to do is verify your router configuration and identify your inside and outside interfaces:

Home_Router#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet YES manual up up
Ethernet YES DHCP up up
Home_Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Home_Router(config)#int fastethernet0
Home_Router(config-if)#ip nat inside
Home_Router(config-if)#exit
Home_Router(config)#int ethernet0
Home_Router(config-if)#ip nat outside
2. Now you need to configure an access list that matches the internal IP addresses to be translated.

Home_Router(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List
Home_Router(config)#ip access-list standard ?
  <1-99>  Standard IP access-list number
  < >     Standard IP access-list number (expanded range)
  WORD    Access-list name
Home_Router(config)#ip access-list standard INSIDE_IP
Home_Router(config-std-nacl)#permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Home_Router(config-std-nacl)#permit ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
Home_Router(config-std-nacl)#permit
Home_Router(config-std-nacl)#exit
Home_Router(config)#

3. Now that the access list is defined, you can put the NAT Overload in action:

Home_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
Home_Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
Home_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
Home_Router(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses
Home_Router(config)#ip nat inside source list INSIDE_IP ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
Home_Router(config)#ip nat inside source list INSIDE_IP interface ethernet 0 ?
  overload  Overload an address translation
  <cr>
Home_Router(config)#ip nat inside source list INSIDE_IP interface ethernet 0 overload
Home_Router(config)#

4. The NAT Overload configuration is in place; clients are now able to access the Internet with the single, DHCP-assigned address from the DSL provider. Now you need to configure your Static NAT entry to allow remote desktop access to your internal PC.

Home_Router(config)#ip nat ?
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
Home_Router(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
Home_Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
Home_Router(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address
Home_Router(config)#ip nat inside source static tcp ?
  < >  Local UDP/TCP port
Home_Router(config)#ip nat inside source static tcp ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address
Home_Router(config)#$ inside source static tcp interface ethernet 0 ?
  < >  Global UDP/TCP port
Home_Router(config)#$nside source static tcp interface ethernet

The configuration is now complete.

Exam Questions

1. You have an internal web server that has the IP address You need to enable this server to be accessed on TCP port 80 from the Internet; what would be the best solution for this situation?
A. Static NAT
B. Dynamic NAT
C. NAT Overload
D. Standard routing

2. Which of the following forms of NAT incorporate the source IP address (inside local) along with the source port number to make every translation unique?
A. Static NAT
B. Dynamic NAT
C. NAT Overload
D. NAT Port Mapping

3. Which of the following commands enables an FTP server with the inside local address to be accessed from a Serial0 interface (that is directly connected to the Internet)?
A. ip nat inside source static tcp interface serial
B. ip nat inside source static tcp interface serial 0 21
C. ip nat inside destination static tcp interface serial
D. ip nat inside destination static tcp interface serial 0 21
4. Refer to Figure 14.9; according to NAT terminology, the IP address for the server is considered an ____.
A. Inside local address
B. Inside global address
C. Outside local address
D. Outside global address

[Figure: internal network /24 with a web server and a second server, connected through NAT_Router to the Internet and a DNS server]

5. Refer to Figure According to NAT terminology, the IP address is considered an ____.
A. Inside local address
B. Inside global address
C. Outside local address
D. Outside global address

6. Which of the following represent a private IP address? (Choose 2.)
A B C D
7. The configuration of Dynamic NAT requires the use of an ____, which is a list of the inside global addresses that the Cisco router will use when translating the inside local addresses.
A. Inside interface
B. Access list
C. Outside interface
D. IP NAT Pool

8. What command is necessary to designate the inside interface in a NAT configuration?
A. nat interface inside
B. nat inside interface
C. ip nat inside
D. ip inside interface

9. You would like to see the active NAT translations that are happening on your router. Your primary interest is in the inside local IPs that are being translated. What command shows you this information?
A. show ip nat statistics
B. show ip nat translations
C. show ip interface
D. show running-config

10. You have just changed one of your internal computer's IP addresses and it appears that it can no longer access the Internet. You have verified the correct subnet and gateway information. What commands should you perform on the router to ensure cached information does not play a role in this failure? (Choose 2.)
A. clear arp
B. clear ip route
C. clear ip nat translations*
D. clear startup-config
Answers to Exam Questions

1. A. Static NAT provides the best solution when you need a 1:1 translation from a private address or port number to a public address or port number. Answer B is incorrect because Dynamic NAT allows many hosts to be translated at the same time. Answer C is incorrect because NAT Overload allows many internal hosts to share a single Internet IP address. Answer D is also incorrect. Standard routing does not work because private addresses are blocked from traversing the Internet.

2. C. NAT Overload uses the source port number to send many unique requests out a single, public IP address. Answer A is incorrect because Static NAT performs 1:1 translations from public to private IP addresses. Answer B is incorrect because Dynamic NAT performs many 1:1 translations without requiring manual entries. Answer D is incorrect because NAT Port Mapping is not a valid form of NAT.

3. B. This syntax correctly lists the source address (inside local) and port number first and the inside global address and port second. The IP NAT inside destination syntax enables you to specify only a list of inside global addresses and does not work for this situation. Answers A, C, and D use invalid syntax.

4. A. Inside local addresses encompass any address on your internal network that is translated to the outside network via NAT. Answer B is incorrect because the inside global addresses are the IPs assigned to the outside interface of your router. Answer C is incorrect because the outside local addresses are outside (Internet) addresses as they appear to a NAT device. Answer D is incorrect because the outside global addresses are standard Internet-attached devices.

5. B. The inside global addresses are the IPs assigned to the outside interface of your router. Answer A is incorrect because inside local addresses encompass any address on your internal network that is translated to the outside network via NAT. Answer C is incorrect because the outside local addresses are outside (Internet) addresses as they appear to a NAT device. Answer D is incorrect because the outside global addresses are standard Internet-attached devices.

6. A, C. The private address ranges are 10.x.x.x, x.x x.x, and x.x. Answers B and D fall outside these ranges.

7. D. Dynamic NAT requires the use of an ip nat pool that lists the inside global addresses (typically Internet-valid) that will be used for the translation. Answer B is incorrect because access lists are used to define the inside local addresses that will be translated. Answers A and C are incorrect because the inside and outside interfaces must be defined, but do not define what addresses are to be translated.

8. C. The ip nat inside designates the inside interface to the NAT router. The other commands are considered invalid syntax.
9. B. The show ip nat translations shows you all active translations currently in place on your router. It includes the inside local and global and the outside local and global addresses for each translation. Answer A is incorrect because the show ip nat statistics command tells you only how many translations are currently happening. Answer C is incorrect because the show ip interface command does not give you any NAT statistics, and answer D is incorrect because the show running-config command tells you only the NAT configurations you have set up.

10. A, C. The clear arp command ensures that the router does not have the incorrect MAC address mapped to the computer's IP address. The clear ip nat translations * command ensures that the cached NAT translations are not pointed to the wrong IP address. Answer B is incorrect. The clear ip route is not necessary because the routing table did not change, and could cause downtime for your router. Answer D is incorrect because the clear startup-config does not remove any cached configuration.

Suggested Reading and Resources

1. Cisco TAC NAT Configuration Syntax, product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfipadr.htm#wp
2. Ward, Chris and Cioara, Jeremy. Exam Cram 2 CCNA Practice Questions. Que Publishing,
3. How Network Address Translation Works, nat1.htm
IP Addressing A Simplified Tutorial
Application Note IP Addressing A Simplified Tutorial July 2002 COMPAS ID 92962 Avaya Labs 1 All information in this document is subject to change without notice. Although the information is believed to
- Network Address Translation -
1 - Network Address Translation - NAT (Network Address Translation) The rapid growth of the Internet resulted in a shortage of available IPv4 addresses. In response, a specific subset of the IPv4 address
DEPLOYMENT GUIDE Version 1.4. Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64
DEPLOYMENT GUIDE Version 1.4 Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64 Table of Contents Table of Contents Configuring IP address sharing in a large scale network... 1 Product
Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets
Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Device Interface
VPN Configuration Guide. Linksys (Belkin) LRT214 / LRT224 Gigabit VPN Router
VPN Configuration Guide Linksys (Belkin) LRT214 / LRT224 Gigabit VPN Router 2014 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in
Lab 4.5.2 Diagramming Intranet Traffic Flows
Lab 4.5.2 Diagramming Intranet Traffic Flows Objective Device Designation Device Name Address Subnet Mask Discovery Server Business Services 172.17.1.1 255.255.0.0 R1 FC-CPE-1 Fa0/1 172.17.0.1 Fa0/0 10.0.0.1
Technical Support Information Belkin internal use only
The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.
1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet
Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer
Lab 8.4.2 Configuring Access Policies and DMZ Settings
Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set
Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3
Firewall FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook Firewall v3 24 January 2012 01-432-148222-20120124 Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to
1 PC to WX64 direction connection with crossover cable or hub/switch
1 PC to WX64 direction connection with crossover cable or hub/switch If a network is not available, or if it is desired to keep the WX64 and PC(s) completely separated from other computers, a simple network
21.4 Network Address Translation (NAT) 21.4.1 NAT concept
21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially
Networking Security IP packet security
Networking Security IP packet security Networking Security IP packet security Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights
Chapter 11 Network Address Translation
Chapter 11 Network Address Translation You can configure an HP routing switch to perform standard Network Address Translation (NAT). NAT enables private IP networks that use nonregistered IP addresses
Lab 9.1.1 Organizing CCENT Objectives by OSI Layer
Lab 9.1.1 Organizing CCENT Objectives by OSI Layer Objectives Organize the CCENT objectives by which layer or layers they address. Background / Preparation In this lab, you associate the objectives of
Load Balancing. Final Network Exam LSNAT. Contents. How does a "traditional" NAT work? An article from Le wiki des TPs RSM.
Load Balancing An article from Le wiki des TPs RSM. PC Final Network Exam Contents 1 LSNAT 1.1 Deployment of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with
vcloud Director User's Guide
vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
Network Scenarios
Network Scenarios Table of Contents Network Scenarios Cisco 827's Network Connections Internet Access Scenarios Before You Configure Your Internet Access Network Replacing a Bridge or Modem
Linksys E2500 Wireless-N Router Configuration Guide
Linksys E2500 Wireless-N Router Configuration Guide Revision 1.0 Copyright 2012 Maretron, LLP All Rights Reserved Maretron, LLP 9014 N. 23rd Ave #10 Phoenix, AZ 85021-7850 http://www.maretron.com Maretron
Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding
Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN
HREP Series DVR DDNS Configuration Application Note
HREP Series DVR DDNS Configuration Application Note DDNS enables your HREP Series DVR to be remotely accessed using a Dynamic DNS server, which is commonly used if a broadband connection does not have
Virtual Data Centre. User Guide
Virtual Data Centre User Guide Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10
Configuring Static and Dynamic NAT Simultaneously
Configuring Static and Dynamic NAT Simultaneously Document ID: 13778 Contents Introduction Prerequisites Requirements Components Used Conventions Configuring NAT Related Information Introduction In some
Topic 7 DHCP and NAT. Networking BAsics.
Topic 7 DHCP and NAT Networking BAsics. 1 Dynamic Host Configuration Protocol (DHCP) IP address assignment Default Gateway assignment Network services discovery I just booted. What network is this? What
Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.
Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the
Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004
Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel
Lab 2 - Basic Router Configuration
CS326 Fall 2001 Room: PAI 5.48 Name: Lab 2 - Basic Router Configuration In this lab you will learn: the various configuration modes of Cisco 2621 routers how to set up IP addresses for such routers how
Barracuda Link Balancer
Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator's Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503
Chapter 4 Customizing Your Network Settings
Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It
This chapter describes how to set up and manage VPN service in Mac OS X Server.
6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure
Broadband Phone Gateway BPG510 Technical Users Guide
Broadband Phone Gateway BPG510 Technical Users Guide (Firmware version 0.14.1 and later) Revision 1.0 2006, 8x8 Inc. Table of Contents About your Broadband Phone Gateway (BPG510)... 4 Opening the BPG510's
7 6.2 Windows Vista / Windows 7. 10 8.2 IP Address Syntax. 12 9.2 Mobile Port. 13 10.2 Windows Vista / Windows 7. 17 13.2 Apply Rules To Your Device
TABLE OF CONTENTS ADDRESS CHECKLIST 3 INTRODUCTION 4 WHAT IS PORT FORWARDING? 4 PROCEDURE OVERVIEW 5 PHYSICAL CONNECTION 6 FIND YOUR ROUTER'S LOCAL NETWORK IP ADDRESS 7 6.1 Windows XP 7 6.2 Windows Vista
Guideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
IP Power Stone 4000 User Manual
IP Power Stone 4000 User Manual Two Outlet Remote AC Power Controller Multi Link, Inc. 122 Dewey Drive Nicholasville, KY 40356 USA Sales and Tech Support 800.535.4651 FAX 859.885.6619 techsupport@multi
Network Basics GRAPHISOFT. for connecting to a BIM Server. 2009 (version 1.0)
for connecting to a BIM Server GRAPHISOFT 2009 (version 1.0) Basic Vocabulary...3 Local Area Networks...5 Examples of Local Area Networks...5 Example 1: LAN of two computers without any other network devices...5
Firewall VPN Router. Quick Installation Guide M73-APO09-380
Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,
Lab 8.5.3 Configuring the PIX Firewall as a DHCP Server
Lab 8.5.3 Configuring the PIX Firewall as a DHCP Server Objective Scenario Estimated Time: 15 minutes Number of Team Members: Two teams with four students per team. In this lab, students will learn the
Multi-Homing Dual WAN Firewall Router
Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet
51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE
51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;
IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.
IP Addressing and Subnetting 2002, Cisco Systems, Inc. All rights reserved. 1 Objectives Upon completion, you will be able to: Discuss the Types of Network Addressing Explain the Form of an IP Address
3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T+ 485+ PIN6 T- 485- PIN7 R+ PIN8 R-
MODEL ATC-2004 TCP/IP TO RS-232/422/485 CONVERTER User's Manual 1.1 Introduction The ATC-2004 is a 4 Port RS232/RS485 to TCP/IP converter integrated with a robust system and network management features
Chapter 8 Router and Network Management
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by
Skills Assessment Student Training Exam
Skills Assessment Student Training Exam Topology Assessment Objectives Part 1: Initialize Devices (8 points, 5 minutes) Part 2: Configure Device Basic Settings (28 points, 30 minutes) Part 3: Configure
Chapter 1 Configuring Basic Connectivity
Chapter 1 Configuring Basic Connectivity This chapter describes the settings for your Internet connection and your wireless local area network (LAN) connection. When you perform the initial configuration
Chapter 4 Customizing Your Network Settings
Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.
Basic Network Configuration
Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the
Transport and Network Layer
Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a
Terminology. Internet Addressing System
Terminology A local area network (LAN) is a computer network covering a small physical area, like a home, office, or small group of buildings, such as a school, or an airport. The defining characteristics
Cisco Configuring Commonly Used IP ACLs
Table of Contents Configuring Commonly Used IP ACLs...1 Introduction...1 Prerequisites...2 Hardware and Software Versions...3 Configuration Examples...3 Allow a Select Host to Access the Network...3 Allow
Configuring Network Address Translation
CHAPTER5 Configuring Network Address Translation The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. This chapter contains the following major sections
Scalable Linux Clusters with LVS
Scalable Linux Clusters with LVS Considerations and Implementation, Part I Eric Searcy Tag1 Consulting, Inc. April 2008 Abstract Whether you are perusing mailing lists or reading
TCP/IP Basis. OSI Model
TCP/IP Basis National University of Kaohsiung, Department of Computer Science and Information Engineering, 嚴力行 Source OSI Model Destination Application Presentation Session Transport Network Data-Link Physical ENCAPSULATION DATA SEGMENT PACKET FRAME BITS 0101010101010101010
Quick Start Guide v1.0
Quick Start Guide v1.0 Table of contents : 01. Quick Start Guide...03 O2. Configuring your VoIPOffice appliance...14 03. Adding a VoIPtalk trunk...21 04. Configuring UADs for use with VoIPOffice...25 05.
How to configure your Thomson SpeedTouch 780WL for ADSL2+
How to configure your Thomson SpeedTouch 780WL for ADSL2+ Connecting up your router This guide assumes that you have successfully: unpacked your router connected it up to your phone socket using the DSL
Internetworking and IP Address
Lecture 8 Internetworking and IP Address Motivation of Internetworking Internet Architecture and Router Internet TCP/IP Reference Model and Protocols IP Addresses - Binary and Dotted Decimal IP Address
Part A:Background/Preparation
Lab no 1 PC Network TCP/IP Configuration In this lab we will learn about Computer Networks Configuration Introduction to IP addressing Identify tools used for discovering a computer s network configuration
Network Address Translation (NAT) Good Practice Guideline
Programme NPFIT Document Record ID Key Sub-Prog / Project Infrastructure Security NPFIT-FNT-TO-IG-GPG-0011.06 Prog. Director Chris Wilber Status Approved Owner James Wood Version 2.0 Author Mike Farrell
Controlling Ashly Products From a Remote PC Location
Controlling Ashly Products From a Remote PC Location Introduction Ashly networked products can be accessed from a remote PC on a different network if the router used for the Ashly device is properly configured.
DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager
DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites
Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
LAB THREE STATIC ROUTING
LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a
1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router
1 Basic Configuration of Cisco 2600 Router Basic Configuration Cisco 2600 Router I decided to incorporate the Cisco 2600 into my previously designed network. This would give me two separate broadcast domains
F-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
Protecting the Home Network (Firewall)
Protecting the Home Network (Firewall) Basic Tab Setup Tab DHCP Tab Advanced Tab Options Tab Port Forwarding Tab Port Triggers Tab DMZ Host Tab Firewall Tab Event Log Tab Status Tab Software Tab Connection
SSL-VPN 200 Getting Started Guide
Secure Remote Access Solutions APPLIANCES SonicWALL SSL-VPN Series SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide Thank you for your purchase of the SonicWALL SSL-VPN
IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections
IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections Document ID: 99427 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram
co Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
IP addressing. Interface: Connection between host, router and physical link. IP address: 32-bit identifier for host, router interface
IP addressing IP address: 32-bit identifier for host, router interface Interface: Connection between host, router and physical link routers typically have multiple interfaces host may have multiple interfaces
< Introduction > This technical note explains how to connect New SVR Series to DSL Modem or DSL Router. Samsung Techwin Co., Ltd.
< Introduction > This technical note explains how to connect New to DSL Modem or DSL Router. Samsung Techwin Co., Ltd. 1 Contents 1. General... 4 1.1. DSL (xdsl)... 4 1.2. Modem... 5 1.2.1. Modem... 5
One of the most important topics in any discussion of TCP/IP is IP. IP Addressing
IP Addressing 125 machine, called a RARP server, responds with the answer, and the identity crisis is over. RARP uses the information it does know about the machine's MAC address to learn its IP address
Using a VPN with Niagara Systems. v0.3 6, July 2013
v0.3 6, July 2013 What is a VPN? Virtual Private Network or VPN is a mechanism to extend a private network across a public network such as the Internet. A VPN creates a point to point connection or tunnel
Network Address Translation (NAT)
Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT. Taken from http://www.cs.virginia.edu/~itlab/ book/slides/module17-nat.ppt 1 Private Network Private IP network
ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration
ICS 351: Today's plan IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration IP address exhaustion IPv4 addresses are 32 bits long so there
F-SECURE MESSAGING SECURITY GATEWAY
F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE
DSL-G604T Install Guides
Internet connection with NAT...2 Internet connection with No NAT, IP Un-number...6 Port Forwarding...12 Filtering & Firewall Setup...20 Access Control... 21 DMZ Setup... 26 Allow Incoming Ping... 27 How
LAN TCP/IP and DHCP Setup
CHAPTER 2 LAN TCP/IP and DHCP Setup 2.1 Introduction In this chapter, we will explain in more detail the LAN TCP/IP and DHCP Setup. 2.2 LAN IP Network Configuration In the Vigor 2900 router, there are
